joren
January 12th, 2009, 15:20
Open the file in OllyDbg. Will look something like the following:
The call at the bottom is not always ExitProcess (GlobalLock, VirtualProtect, etc)
Go to address 00401000 in the dump and set a Breakpoint -> Hardware, on access -> Byte and run with F9
An access violation will occur on 00401092. This is intentional, press Shift+F9 to pass exception to the program
Your breakpoint will eventually hit and you may need to re-analyze (ctrl-a):
Execute the return. You will then land in an area like the following:
Execute the return here as well. You will then land in an area like the following:
Remove all breakpoints at this point. Note the CALL EAX at 00401810. Step into this call:
Continue single-stepping. Once you step over the call located at 00921777 you will see some modules were loaded (Alt-e). We are getting somewhere..
At this point go to the memory map (Alt-m), right-click the malware's .text section -> Set break-on-access. Now run with F9 again. You should get a break-on-access when writing to 00401000:
Now we know we have required modules loaded and we are writing code...Scroll down a bit and you will see:
Looks like your typical UPX jump to OEP code... Remove all breakpoints and set a hardware breakpoint on execution on the JMP (004ED28C) and run with F9. The breakpoint should hit and now single-step execute the instruction. You should land here:
At this point we can dump the debugged process and fix the imports. As a note, Olly had some issues dumping this (atleast for me) so I simply used LordPE. This method is obviously not the shortest, but was the initial flow I took when attempting to unpack it. Again, the addresses will obviously change, but the areas of code and this unpacking method seem to work well.
Nothing too difficult, but someone may learn/benefit from the above. Ping me if you see any errors...
Code:
00401023 >/$ 55 PUSH EBP
00401024 |. 8BEC MOV EBP,ESP
00401026 |. 6A FF PUSH -1
00401028 |. 68 DC254000 PUSH card.004025DC
0040102D |. 68 E1104000 PUSH card.004010E1 ; SE handler installation
....
0040108D |. B8 56224000 MOV EAX,card.00402256
00401092 |. 8902 MOV DWORD PTR DS:[EDX],EAX
00401094 |. 50 PUSH EAX ; /ExitCode => 402256
00401095 \. FF15 4C304600 CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess
The call at the bottom is not always ExitProcess (GlobalLock, VirtualProtect, etc)
Go to address 00401000 in the dump and set a Breakpoint -> Hardware, on access -> Byte and run with F9
An access violation will occur on 00401092. This is intentional, press Shift+F9 to pass exception to the program
Your breakpoint will eventually hit and you may need to re-analyze (ctrl-a):
Code:
004011C3 |. 89C1 MOV ECX,EAX ; landed here
004011C5 |. 83E1 03 AND ECX,3
004011C8 |. 83C6 03 ADD ESI,3
004011CB |. 83C7 03 ADD EDI,3
004011CE |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004011D0 |. FC CLD
004011D1 |> 5F POP EDI
004011D2 |. 5E POP ESI
004011D3 \. C3 RETN
Execute the return. You will then land in an area like the following:
Code:
00401663 |> 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C]
00401666 |. 52 |PUSH EDX
00401667 |. 6A 40 |PUSH 40
....
00401681 |. FF4D F0 |DEC DWORD PTR SS:[EBP-10]
00401684 |.^75 8F \JNZ SHORT card.00401615
00401686 |> 5F POP EDI
00401687 |. 5E POP ESI
00401688 |. 5B POP EBX
00401689 |. 8BE5 MOV ESP,EBP
0040168B |. 5D POP EBP
0040168C \. C2 1000 RETN 10
Execute the return here as well. You will then land in an area like the following:
Code:
004017FF |. 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
00401803 |. 2BF3 SUB ESI,EBX
00401805 |. BF E8164000 MOV EDI,card.004016E8
0040180A |. 03FE ADD EDI,ESI
0040180C |. 89F8 MOV EAX,EDI
0040180E |. 53 PUSH EBX
0040180F |. 56 PUSH ESI
00401810 |. FFD0 CALL EAX
Remove all breakpoints at this point. Note the CALL EAX at 00401810. Step into this call:
Code:
009216E8 55 PUSH EBP
....
0092176A E8 29FDFFFF CALL 00921498
0092176F 8BCB MOV ECX,EBX
00921771 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00921774 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00921777 E8 30FDFFFF CALL 009214AC
0092177C 83F8 01 CMP EAX,1
0092177F 75 20 JNZ SHORT 009217A1
....
0092179A FF13 CALL DWORD PTR DS:[EBX] ; kernel32.CreateThread
0092179C 6A FF PUSH -1
0092179E FF53 04 CALL DWORD PTR DS:[EBX+4] ; kernel32.Sleep
009217A1 6A 00 PUSH 0
009217A3 FF53 24 CALL DWORD PTR DS:[EBX+24]
Continue single-stepping. Once you step over the call located at 00921777 you will see some modules were loaded (Alt-e). We are getting somewhere..
At this point go to the memory map (Alt-m), right-click the malware's .text section -> Set break-on-access. Now run with F9 again. You should get a break-on-access when writing to 00401000:
Code:
004ED0F3 8807 MOV BYTE PTR DS:[EDI],AL ; bp hits here
004ED0F5 47 INC EDI
004ED0F6 01DB ADD EBX,EBX
004ED0F8 75 07 JNZ SHORT card.004ED101
004ED0FA 8B1E MOV EBX,DWORD PTR DS:[ESI]
004ED0FC 83EE FC SUB ESI,-4
004ED0FF 11DB ADC EBX,EBX
004ED101 ^72 ED JB SHORT card.004ED0F0
004ED103 B8 01000000 MOV EAX,1
004ED108 01DB ADD EBX,EBX
004ED10A 75 07 JNZ SHORT card.004ED113
Now we know we have required modules loaded and we are writing code...Scroll down a bit and you will see:
Code:
004ED27E 61 POPAD ; restore registers
004ED27F 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]
004ED283 6A 00 PUSH 0
004ED285 39C4 CMP ESP,EAX
004ED287 ^75 FA JNZ SHORT card.004ED283
004ED289 83EC 80 SUB ESP,-80
004ED28C ^E9 0121FAFF JMP card.0048F392 ; jmp to OEP
004ED291 0000 ADD BYTE PTR DS:[EAX],AL
Looks like your typical UPX jump to OEP code... Remove all breakpoints and set a hardware breakpoint on execution on the JMP (004ED28C) and run with F9. The breakpoint should hit and now single-step execute the instruction. You should land here:
Code:
0048F392 E8 3AC50000 CALL card.0049B8D1 ; OEP
0048F397 ^E9 16FEFFFF JMP card.0048F1B2
0048F39C CC INT3
At this point we can dump the debugged process and fix the imports. As a note, Olly had some issues dumping this (atleast for me) so I simply used LordPE. This method is obviously not the shortest, but was the initial flow I took when attempting to unpack it. Again, the addresses will obviously change, but the areas of code and this unpacking method seem to work well.
Nothing too difficult, but someone may learn/benefit from the above. Ping me if you see any errors...